Online Password Security Tactics

Recently two more large databases were attacked and compromised, one at the popular Gawker Media sites and the other at McDonald’s. Every time this kind of thing happens (which is FAR too often) it should remind the technical professional to ensure that they secure their systems correctly. If you write software that stores passwords, they should be heavily encrypted, and not human-readable in any storage. I advocate a different store for the login and password, so that if one is compromised, the other is not. I also advocate that you set a bit flag when a user changes their password, and send out a reminder to change passwords if that bit isn’t changed every three or six months.

But this post is about the *other* side – what to do to secure your own passwords, especially those you use online, either in a cloud service or at a provider. While you’re not in control of these breaches, there are some things you can do to help protect yourself. Most of these are obvious, but they contain a few little twists that make the process easier.

Use Complex Passwords

This is easily stated, and probably one of the most unheeded pieces of advice. There are three main concepts here:

· Don’t use a dictionary-based word
· Use mixed case
· Use punctuation, special characters and so on

So this: password

Isn’t nearly as safe as this: P@ssw03d

Of course, this only helps if the site that stores your password encrypts it. Gawker does, so theoretically if you had the second password you’re in better shape, at least, than the first. Dictionary words are quickly broken, regardless of the encryption, so the more unusual characters you use, and the farther away from the dictionary words you get, the better.
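To put a number on "farther away from the dictionary words", here is an added example (not part of the original post) that undoes common look-alike substitutions and reports the closest word and its edit distance. The substitution table, the five-word list and the function names are assumptions made for the illustration.

```python
# Common look-alike substitutions, undone before the dictionary comparison.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "l",
                      "$": "s", "5": "s", "7": "t", "!": "i"})

# Constructed sample wordlist; a real check would load a large dictionary.
WORDS = ["password", "letmein", "dragon", "monkey", "welcome"]


def normalise(candidate: str) -> str:
    """Lower-case the candidate and map look-alike characters back to letters."""
    return candidate.lower().translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def nearest_word(candidate: str, words=WORDS):
    """Return (distance, word) for the dictionary word closest to the candidate."""
    norm = normalise(candidate)
    return min((edit_distance(norm, w), w) for w in words)


if __name__ == "__main__":
    # "q7#Lm2!xV9&t" is a constructed random-looking sample.
    for pw in ("password", "P@ssw03d", "q7#Lm2!xV9&t"):
        print(pw, nearest_word(pw))
```

A small distance means the candidate is still close to a dictionary word; a password policy can reject anything under a chosen threshold.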

Of course, this doesn’t help, not even a little, if the site stores the passwords in clear text, or the key to their encryption is broken. In that case…

Use a Different Password at Every Site

What? I have hundreds of sites! Are you kidding me? Nope – I’m not. If you use the same password at every site, when a site gets attacked, the attacker will store your name and password value for attacks at other sites. So the only safe thing to do is to use different names or passwords (or both) at each site. Of course, most sites use your e-mail as a username, so you’re kind of hosed there. So even though you have hundreds of sites you visit, you need to have at least a different password at each site.

But it’s easier than you think – if you use an algorithm.

What I’m describing is to pick a “root” password, and then modify that based on the site or purpose. That way, if the site is compromised, you can still use that root password for the other sites.

Let’s take that second password:

P@ssw03d

And now you can append, prepend or intersperse that password with other characters to make it unique to the site. That way you can easily remember the root password, but make it unique to the site. For instance, perhaps you read a lot of information on Gawker – how about these:

P@ssw03dRead

ReadP@ssw03d

PR@esasdw03d

If you have lots of sites, tracking even this can be difficult, so I recommend you use password software such as Password Safe or some other tool to have a secure database of your passwords at each site. DO NOT store this on the web. DO NOT use an Office document (Microsoft or otherwise) that is “encrypted” – the encryption office automation packages use is very trivial, and easily broken. A quick web search for tools to do that should show you how bad a choice this is.

Change Your Password on a Schedule

I know. It’s a real pain. And it doesn’t seem worth it…until your account gets hacked. A quick note here – whenever a site gets hacked (and I find out about it) I change the password at that site immediately (or quit doing business with them) and then change the root password on every site, as quickly as I can.

If you follow the tip above, it’s not as hard. Just add another number, year, month, day, something like that into the mix. It’s not unlike making a Primary Key in an RDBMS.

P@ssw03dRead10242010

Change the site, and then update your password database. I do this about once a month, on the first or last day, during staff meetings. :)
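The root-plus-site-plus-date idea can also be done with a key-derivation function, so the site password is recomputed from the root rather than containing it. This is an added example, not the author's method: PBKDF2 is swapped in for the manual append/prepend step, and the function name, the period format and the alphabet are assumptions.

```python
import hashlib
import string

# Assumed alphabet: mixed case, digits and punctuation, as the post advises.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*()-_=+")
ALPHABET = "".join(CLASSES)


def site_password(root: str, site: str, period: str, length: int = 16) -> str:
    """Derive a per-site, per-period password from one memorised root."""
    counter = 0
    while True:
        # Site, rotation period and retry counter form the salt, so each
        # (site, period) pair gets an unrelated output from the same root.
        salt = f"{site.lower()}|{period}|{counter}".encode()
        raw = hashlib.pbkdf2_hmac("sha256", root.encode(), salt, 100_000)
        n = int.from_bytes(raw, "big")
        chars = []
        for _ in range(length):
            # Peel off base-len(ALPHABET) digits of the 256-bit value.
            n, idx = divmod(n, len(ALPHABET))
            chars.append(ALPHABET[idx])
        candidate = "".join(chars)
        # Retry deterministically until every character class is present.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate
        counter += 1


if __name__ == "__main__":
    # Root taken from the post; site labels and periods are sample values.
    for site, period in (("gawker.com", "2010-12"),
                         ("mcdonalds.com", "2010-12"),
                         ("gawker.com", "2011-01")):
        print(site, period, site_password("P@ssw03d", site, period))
```

Changing the period string is the scheduled change; keep the site label and current period in the password database so the value can be recomputed.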

If you have other tips, post them here. We can all learn from each other on this.

Kirchner - I wouldn't trust it, personally. Not for enterprise level stuff. It has a use-case, but not for my password safe.

Kirchner

14 Dec 2010 10:54 AM

Wow, that was fast :)

I'll give Password Safe a try. Thanks.

Ronald Dameron (@RonDBA)

15 Dec 2010 8:57 AM

So far I've survived by having a root password that is not a dictionary word, uses mixed case, numerics and special characters that I will never forget. Then, I tack on a mnemonic suffix for the different sites that I use that require a password. I'm very near the point of migrating to something like Password Safe because I find that I sometimes forget the suffix for a particular site if I don't visit enough. I second Password Safe as a recommendation. Used it at my last employer to store important passwords securely.

Password Safe is the only way I've found to keep my various worlds safe. Nice topic Buck.

Speedbird186

16 Dec 2010 7:36 AM

From a risk perspective, it might actually make sense to have a few different root passwords. Perhaps one root for banking sites, another for e-commerce sites and a third for online comments only. That way, the number of variations for each root is reduced, making it easier to remember.

The third root might as well not have any variations. Doesn't really matter if my commentx.com account gets hacked if the only place it'll work is on commenty.com -- provided the implications of hackers having access to both sites carries the same weight (as in, someone could post a comment on my behalf, but not shop or see credit card history, etc.)

ABob

22 Mar 2011 2:36 AM

I would disagree about MS office encryption. It was trivial in previous versions but since 2007 they have implemented AES which makes brute force search much harder.

There is one more thing I wanted to point here.

Unfortunately security and usability are somewhat fighting each other.

I mean the more security you impose the harder it is to use the system.

Talking about strong passwords.

Imagine you are using some really strong password like random letters as "k43,9a§%$Zha".

What are the chances that you will eventually forget it after a good vacation? I bet the chances are big.

This means a system designer must put measures to allow users to restore their passwords, recover them or allow generating new.

These special tools also have to be implemented with highest details, one single mistake could break the entire system.

I was astonished once when I read about guys at http://passwordnow.com, which use clusters to run brute force search for users which want to recover their data. It is really amazing how many poor people face the issue of getting their forgotten password.

My final advice is that users should think about forgetting their password and make a hard copy somewhere in the safe place.